Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1. (Currently Amended) A computer implemented method in a data processing system for
managing access to resources, the method comprising:

responsive to matching an entry in an access control list of a specific resource with credentials of
a process, granting a security identifier given by the access control list to the process, wherein the security
identifier has no meaning outside of being used to make an access decision for the specific resource,
wherein granting the security identifier further comprises:

adding the security identifier to the credentials of the process to form an object access
identifier, wherein the object access identifier is granted based on a path of execution;

limiting a scope of the security identifier to an application space, wherein access rights
associated with the security identifier are limited to a specific application, and wherein
propagation of access rights is prevented by specifying the access rights are limited to the specific
application; and

responsive to granting the security identifier to the process, identifying the security
identifier as an unavailable security identifier that is no longer available to be granted to other
processes, wherein the security identifier is not reused; and

responsive to the process requesting access to the specific resource, generating the access
decision based on the security identifier.

2. (Cancelled) 

3. (Currently amended) The computer implemented method of claim 1, wherein granting a security
identifier given by the access control list to the process further comprises:

adding the security identifier to the credentials of the process to form an object access identifier,
wherein the object access identifier is granted

granting the security identifier to the credentials of the process based on an identity of the process
and a second process invoked by the process, wherein the credentials of the process are modified based on
the identity of the process and the path of execution by which the process is executed.

4. (Currently amended) The computer implemented method of claim 1, wherein granting a security
identifier given by the access control list to the process further comprises:

setting the security identifier in an access control list operation.

5. (Currently amended) The computer implemented method of claim 1 further comprising: 
changing the security identifier in response to the process invoking a selected resource. 

6. (Currently amended) The computer implemented method of claim 1, wherein generating the 
access decision based on the security identifier further comprises: 

using the security identifier as an identity in an access control list to identify a right to the specific 
resource. 

7. (Currently amended) The computer implemented method of claim 1, wherein the entry in the
access control list is a first entry and wherein generating the access decision based on the security
identifier further comprises:

comparing a second entry in the access control list with the credentials of the process; and

responsive to the second entry matching the security identifier in the credentials of the process,
generating an access decision that grants the process access to the specific resource, wherein the security
identifier is a right in an access control list.

8. (Currently Amended) A data processing system for managing access to resources, the data
processing system comprising:

granting means for granting a security identifier given by an access control list to a process in
response to matching an entry in the access control list of a specific resource with credentials of the
process, wherein the security identifier has no meaning outside of being used to make an access decision
for the specific resource, wherein granting the security identifier further comprises:

adding means for adding the security identifier to the credentials of the process to form
an object access identifier, wherein the object access identifier is granted based on a path of execution;

limiting means for limiting a scope of the security identifier to an application space,
wherein access rights associated with the security identifier are limited to a specific application,
and wherein propagation of access rights is prevented by specifying the access rights are limited
to the specific application; and

identifying means for identifying the security identifier as an unavailable security
identifier that is no longer available to be granted to other processes in response to granting the
security identifier to the process, wherein the security identifier is not reused; and

generating means responsive to the process requesting access to the specific resource, for
generating the access decision based on the security identifier.

9. (Cancelled) 

10. (Currently amended) The data processing system of claim 8, wherein the granting means further
comprises:

adding means for adding the security identifier to the credentials of the process to form an object
access identifier, wherein the object access identifier is granted based on an identity of the process and a
second process invoked by the process, wherein the credentials of the process are modified based on the
identity of the process and path of execution by which the process is executed.

11. (Previously presented) The data processing system of claim 8, wherein the granting means
includes: 

setting means for setting the security identifier in an access control list operation. 

12. (Original) The data processing system of claim 8 further comprising: 

changing means for changing the security identifier in response to the process invoking a selected 
resource. 

13. (Original) The data processing system of claim 8, wherein the generating means includes:

using means for using the security identifier as an identity in an access control list to identify a
right to the specific resource.

14. (Original) The data processing system of claim 8, wherein the security identifier is a right in an
access control list.

15. (Currently Amended) A computer program product in a computer readable medium in a data
processing system for managing access to resources, the computer program product comprising:

first instructions for granting a security identifier given by an access control list to a process in
response to matching an entry in the access control list of a specific resource with credentials of the
process, wherein the security identifier has no meaning outside of being used to make an access decision
for the specific resource, wherein the instructions for granting the security identifier further comprises:

instructions for adding the security identifier to the credentials of the process to form an
object access identifier, wherein the object access identifier is granted based on a path of execution;

instructions for limiting a scope of the security identifier to an application space, wherein
access rights associated with the security identifier are limited to a specific application, and
wherein propagation of access rights is prevented by specifying the access rights are limited to
the specific application; and

instructions for identifying the security identifier as an unavailable security identifier that
is no longer available to be granted to other processes in response to granting the security
identifier to the process, wherein the security identifier is not reused; and

second instructions responsive to the process requesting access to the specific resource, for
generating the access decision based on the security identifier.

16. (Cancelled) 

17. (Currently amended) The computer program product of claim 15, wherein the first instructions
further comprises:

sub-instructions for adding the security identifier to the credentials of the process to form an
object access identifier, wherein the object access identifier is granted based on an identity of the process
and a second process invoked by the process, wherein the credentials of the process are modified based on
the identity of the process and the path of execution by which the process is executed.

18. (Previously presented) The computer program product of claim 15, wherein the first instructions 
includes: 

sub-instructions for setting the security identifier in an access control list operation. 

19. (Currently amended) The computer program product of claim 15 further comprising:

third instructions for changing the security identifier in response to the process invoking a
selected resource.

20. (Original) The computer program product of claim 15, wherein the second instructions includes:

sub-instructions for using the security identifier as an identity in an access control list to identify a
right to the specific resource.

21. (Original) The computer program product of claim 15, wherein the security identifier is a right in
an access control list.

22. (Currently Amended) A data processing system comprising:

a bus system;

a memory connected to the bus system, wherein the memory includes a set of instructions; and

a processing unit connected to the bus system, wherein the processing unit executes the set of
instructions to grant a security identifier given by an access control list of a specific resource to a process
in response to matching an entry in the access control list with credentials of the process, wherein the
security identifier has no meaning outside of being used to make an access decision for the specific
resource, and generate the access decision based on the security identifier responsive to the process
requesting access to the specific resource, wherein executing the set of instructions to grant the security
identifier given the access control list of the specific resource to the process further comprises:

executing the set of instructions to add the security identifier to the credentials of the
process to form an object access identifier, wherein the object access identifier is granted based
on a path of execution; limit a scope of the security identifier to an application space, wherein
access rights associated with the security identifier are limited to a specific application, and
wherein propagation of access rights is prevented by specifying the access rights are limited to
the specific application; and identify the security identifier as an unavailable security identifier
that is no longer available to be granted to other processes in response to granting the security
identifier to the process, wherein the security identifier is not reused.

23. (New) The computer implemented method of claim 1 wherein the security identifier uniquely
identifies the path of execution taken by the process and further comprising: 

granting a different security identifier to the process based on a different path of execution taken 
by the process, wherein each security identifier granted to the process represents a different path of 
execution taken by the process. 

24. (New) The computer implemented method of claim 23 further comprising: 

examining a plurality of security identifiers added to the credentials of the process to uniquely 
identify execution states associated with the process. 

25. (New) The computer implemented method of claim 1 further comprising:

tracking paths of execution for the process using security identifiers added to the credentials of
the process to form execution path information; and

conveying the execution path information to a subsequent trusted process. 
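
The grant-then-decide flow recited in claims 1 and 7, sketched as an added illustration that is not part of the application or of any implementation by the applicant. The class names, the `sid-N` format and the sample resources are assumptions constructed here, and the path-of-execution condition is not modeled.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class Process:
    app: str                                  # application space of the process
    credentials: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    app: str                                  # grants are scoped to this application
    grant_entries: dict                       # first entries: credential -> SID label
    rights: dict                              # second entries: SID label -> rights

class Monitor:
    def __init__(self):
        self._next = itertools.count(1)
        self.unavailable = set()              # granted SIDs, never issued again
        self.issued = {}                      # SID -> (resource name, label)

    def grant(self, proc, res):
        """First-entry match: add a fresh, resource-scoped SID to the credentials."""
        if proc.app != res.app:               # scope limited to one application
            return None
        for cred, label in res.grant_entries.items():
            if cred in proc.credentials:
                sid = f"sid-{next(self._next)}"
                assert sid not in self.unavailable
                self.unavailable.add(sid)
                self.issued[sid] = (res.name, label)
                proc.credentials.add(sid)
                return sid
        return None

    def check(self, proc, res, right):
        """Second-entry match: a SID is meaningful only for its own resource."""
        for cred in proc.credentials:
            owner, label = self.issued.get(cred, (None, None))
            if owner == res.name and proc.app == res.app:
                if right in res.rights.get(label, set()):
                    return True
        return False

def demo():
    # Constructed sample data: two resources in one hypothetical "print" application.
    m = Monitor()
    spool = Resource("spool", "print", {"uid:alice": "submitter"}, {"submitter": {"write"}})
    other = Resource("audit", "print", {"uid:root": "auditor"}, {"submitter": {"write"}})
    a, b = Process("print", {"uid:alice"}), Process("print", {"uid:alice"})
    sid_a, sid_b = m.grant(a, spool), m.grant(b, spool)
    return sid_a != sid_b, m.check(a, spool, "write"), m.check(a, other, "write"), m.grant(a, other)
```

In `demo()` the two processes receive distinct identifiers, the first process can write to `spool`, and the same identifier confers nothing on `audit` even though that resource uses the same label.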